pcap-parser 0.4.0

Parser for the PCAP/PCAPNG format

PCAP and PCAPNG parsers

This crate contains several parsers for PCAP and PCAPNG files.

The code is available on Github and is part of the Rusticata project.

Example: generic parsing

The following code shows how to parse a file either in PCAP or PCAPNG format.

# extern crate nom;
# extern crate pcap_parser;
use pcap_parser::*;
use nom::IResult;
use std::fs::File;
use std::io::Read;

# fn main() {
# let path = "/tmp/file.pcap";
let mut file = File::open(path).unwrap();
let mut buffer = Vec::new();
file.read_to_end(&mut buffer).unwrap();
let mut num_packets = 0;
// try pcap first
match PcapCapture::from_file(&buffer) {
Ok(capture) => {
println!("Format: PCAP");
for _packet in capture.iter_packets() {
num_packets += 1;
_ => ()
// otherwise try pcapng
match PcapNGCapture::from_file(&buffer) {
Ok(capture) => {
println!("Format: PCAPNG");
// most pcaps have one section, with one interface
// global iterator - provides a unified iterator over all
// sections and interfaces. It will usually work only if there
// is one section with one interface
// otherwise, the next iteration code is better
for _packet in capture.iter_packets() {
// num_packets += 1;
// The following code iterates all sections, for each section
// all interfaces, and for each interface all packets.
// Note that the link type can be different for each interface!
println!("Num sections: {}", capture.sections.len());
for (snum,section) in capture.sections.iter().enumerate() {
println!("Section {}:", snum);
for (inum,interface) in section.interfaces.iter().enumerate() {
println!("    Interface {}:", inum);
println!("        Linktype: {:?}", interface.header.linktype);
// ...
for _packet in section.iter_packets() {
num_packets += 1;
_ => ()
# }

The above code requires the file to be entirely loaded into memory. Other functions in this crate allows for writing streaming parsers. See pcap-tools for examples.